From: Nikita B. <nik...@gs...> - 2017-02-08 09:40:34
Hi,

I know this must be the very basic requirement to get the certificate with subject DN overridden. But I have tried my best with all settings but no clue what's going wrong.

I have a user 'user1' which is created with a 'Client endentity profile' which uses default cert profile as 'Client Cert Profile'. This certificate profile has 'Allow subject DN override by CSR' and 'Allow subject DN override by End Entity Information' checked. In the case where both are checked, documentation says that DN will be overridden by CSR.

Now I make this SOAP call for pkcs10Request:

Body:

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ws="http://ws.protocol.core.ejbca.org/">
   <soapenv:Header/>
   <soapenv:Body>
      <ws:pkcs10Request>
         <!--Optional:-->
         <arg0>user1</arg0>
         <!--Optional:-->
         <arg1>password</arg1>
         <!--Optional:-->
         <arg2>-----BEGIN CERTIFICATE REQUEST-----
MIICkzCCAXsCAQAwTjELMAkGA1UEBhMCT08xCzAJBgNVBAgMAktLMQswCQYDVQQH
DAJQUDELMAkGA1UECgwCSkoxCzAJBgNVBAsMAkxMMQswCQYDVQQDDAJLSzCCASIw
DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOvNjuie1L0SwkomYo+L7NIJLOHQ
nfc2T40eJPFGwek3anbgNFrLedFX0MFgW8k2JQM6CF14xa88z8pSaecsr46yJIhF
Cn+440zN3ecRy6k7umotmuYMtqGc7Hl2Y+S/+GSNo+UHR1QMkD30iU15S7FVEII0
2O9y74yaMZgP4PCIeiGSxngybMY4p3TQEXHmnPg4Or8my2OcYZDIQ6Jr4opZjsPB
fJvVgl746KseurPG7dRXD+U+4eicDU6JISm1btpa/RqdAZhNvVSyyEvScyF72jFW
LqNnrVdDibSPcSZpEXnwotsy4MCLMhBmNEAmNkWOTia5wv+0wVWIo1NLum8CAwEA
AaAAMA0GCSqGSIb3DQEBCwUAA4IBAQB9KtGBwZA7W+haj6OUXsj83qTKLv+o3cjk
RPDqVYIRaRQqcacf5z9TXLH1+gQ63Q1RZzG6U9t4TnhzitVQxa2nSk0k/mNTrecp
1G+pqRg1eQ91Yq/fbAg5gOc4tHXcNwGJ/WvbMJYmQ1OOHgzxn1IYM1yEz6ZqgsEC
EtiGlRlfEBO4TAdHcf/HVgOWXVsCP+QF7/ibk8q6BYbGZGpzSZ/ZLSDtauKxpP8z
++VLGGTuIO4CMLuqDzhHtmnGD0EzwdKf8koeLfAXSj5AjfWUrVJA1P7xoZfUJrg/
fLK3lnrKOP6K5CG1HyCvJt4c8NFqgdH22LMtWJ113QKgPtGZzWAu
-----END CERTIFICATE REQUEST-----</arg2>
         <!--Optional:-->
         <arg3></arg3>
         <!--Optional:-->
         <arg4>CERTIFICATE</arg4>
      </ws:pkcs10Request>
   </soapenv:Body>
</soapenv:Envelope>

I even made the call without '-----BEGIN CERTIFICATE REQUEST-----' and '-----END CERTIFICATE REQUEST-----' but no success. In both cases, the certificate generated still uses the subject DN which was used while creating the user.

I tried this webservice call using SOAP-UI as well as Eclipse code. Only when the call is made using public web 'Create certificate from CSR' or cli command, the subject DN is overridden. For some reason unable to achieve it through web service call.

Kindly guide me if I am doing anything wrong here.

Regards,
Nikita Bedmutha
Software Engineer | m: +91 94042 02790 | Great Software Laboratory <http://www.gslab.com/>
<http://www.linkedin.com/in/nikitabedmutha>

On Fri, Feb 3, 2017 at 5:35 AM, Tomas Gustavsson <to...@pr...> wrote:

>
> This is very common to do this using WS so there is probably something
> wrong with your call. Are you using the correct certificate profile in
> your WS call?
>
> Debug logging will show in detail all decisions regarding override or not
> that is takes during certificate issuance.
>
> Regards,
> Tomas
> ---
> RSA Conference 2017
> ------------------------------------------------------------------
> San Francisco | February 13-17 | Moscone Center
> Come visit us in booth #627 at RSA Conference 2017!
>
> Want a free expo pass?
> Go to https://www.rsaconference.com/events/us17/register
> and use the code: XE7PRMKEY
>
> On 2017-02-02 04:44, Nikita Bedmutha wrote:
> > Sorry for spamming, but just correcting the query:
> >
> > I want to make a certificate request which uses the subject DN from CSR
> > and not the registered end entity subject DN. I am using the
> > certificate profile which has 'Allow subject DN override by CSR'
> > checked. However the web service requests 'pkcs10Request' as well as
> > 'certificateRequest' do not return certificates with subject DN
> > overridden by the CSR but uses the registered DN only.
> >
> > On the other hand, using the same CSR, the public web call 'Create
> > Certificate from CSR' as well as the 'createcert' CLI command generates
> > a certificate which has the subject DN overridden by the CSR.
> >
> > Your inputs would really be very helpful.
> > Thanks.
> >
> > Regards,
> > Nikita Bedmutha
> >
> > On Wed, Feb 1, 2017 at 4:50 PM, Nikita Bedmutha
> > <nik...@gs... <mailto:nik...@gs...>> wrote:
> >
> >     Hi,
> >
> >     I have a user(end-entity) created using a certificate profile which
> >     has 'Allow Subject DN override' checked. This end-entity is
> >     registered with Token as User Generated.
> >     When I use 'Create Certificate from CSR' option on public web, I get
> >     the certificate with the subject DN used while creating the CSR and
> >     not the registered DN.
> >     Now I want to achieve same using web service call. I tried the
> >     'certificateRequest' and 'pkcs10' request with the same CSR that I
> >     used in previous Public web call. But in the web service call case,
> >     I get certificate with the registered DN and not overridden by the CSR.
> >
> >     Kindly guide me how to achieve this.
> >
> >     Thanks and Regards,
> >     Nikita
> >
> > ------------------------------------------------------------------------------
> > Check out the vibrant tech community on one of the world's most
> > engaging tech sites, SlashDot.org! http://sdm.link/slashdot
> >
> > _______________________________________________
> > Ejbca-develop mailing list
> > Ejb...@li...
> > https://lists.sourceforge.net/lists/listinfo/ejbca-develop
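Added example, not part of the original thread and not EJBCA code: a standard-library Python check that decodes the subject DN carried in a PKCS#10 request, with or without the BEGIN/END armor lines, so it can be compared with the subject of the certificate the web service returns. SAMPLE_CSR is the request posted in the message above; the function names and the X520 table are assumptions of this example.

```python
import base64
import re

# DER-encoded OIDs of the X.520 attributes 2.5.4.x and their short names.
X520 = {bytes([0x55, 4, n]): s for n, s in
        [(3, "CN"), (6, "C"), (7, "L"), (8, "ST"), (10, "O"), (11, "OU")]}
# CSR posted in the message above, armor lines left off.
SAMPLE_CSR = """MIICkzCCAXsCAQAwTjELMAkGA1UEBhMCT08xCzAJBgNVBAgMAktLMQswCQYDVQQH
DAJQUDELMAkGA1UECgwCSkoxCzAJBgNVBAsMAkxMMQswCQYDVQQDDAJLSzCCASIw
DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOvNjuie1L0SwkomYo+L7NIJLOHQ
nfc2T40eJPFGwek3anbgNFrLedFX0MFgW8k2JQM6CF14xa88z8pSaecsr46yJIhF
Cn+440zN3ecRy6k7umotmuYMtqGc7Hl2Y+S/+GSNo+UHR1QMkD30iU15S7FVEII0
2O9y74yaMZgP4PCIeiGSxngybMY4p3TQEXHmnPg4Or8my2OcYZDIQ6Jr4opZjsPB
fJvVgl746KseurPG7dRXD+U+4eicDU6JISm1btpa/RqdAZhNvVSyyEvScyF72jFW
LqNnrVdDibSPcSZpEXnwotsy4MCLMhBmNEAmNkWOTia5wv+0wVWIo1NLum8CAwEA
AaAAMA0GCSqGSIb3DQEBCwUAA4IBAQB9KtGBwZA7W+haj6OUXsj83qTKLv+o3cjk
RPDqVYIRaRQqcacf5z9TXLH1+gQ63Q1RZzG6U9t4TnhzitVQxa2nSk0k/mNTrecp
1G+pqRg1eQ91Yq/fbAg5gOc4tHXcNwGJ/WvbMJYmQ1OOHgzxn1IYM1yEz6ZqgsEC
EtiGlRlfEBO4TAdHcf/HVgOWXVsCP+QF7/ibk8q6BYbGZGpzSZ/ZLSDtauKxpP8z
++VLGGTuIO4CMLuqDzhHtmnGD0EzwdKf8koeLfAXSj5AjfWUrVJA1P7xoZfUJrg/
fLK3lnrKOP6K5CG1HyCvJt4c8NFqgdH22LMtWJ113QKgPtGZzWAu"""

def read_tlv(buf, pos=0):
    """Return (value, next_pos) of the DER element starting at buf[pos]."""
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return buf[pos:pos + length], pos + length

def children(value):
    """Yield the values of the DER elements nested directly inside value."""
    pos = 0
    while pos < len(value):
        item, pos = read_tlv(value, pos)
        yield item

def csr_subject(csr_text):
    """Subject DN of a PEM PKCS#10 request, with or without armor lines."""
    der = base64.b64decode(re.sub(r"-----[A-Z ]+-----|\s", "", csr_text))
    info = read_tlv(read_tlv(der)[0])[0]   # CertificationRequestInfo
    name = list(children(info))[1]         # [0] is version, [1] is subject Name
    return ",".join(                       # each RDN is a SET of (OID, value) pairs
        "+".join(f"{X520.get(o, o.hex())}={v.decode('utf-8', 'replace')}"
                 for o, v in map(children, children(rdn)))
        for rdn in children(name))
```

If the certificate returned by the web service carries a different subject than csr_subject() reports for the submitted request, the registered end entity DN was used and the override did not take effect for that call.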